
Privacy Policy

Last updated: April 18, 2026

PopSmart Clerk ("Clerk", "we", "us", or "our") is an AI virtual store clerk application for Shopify merchants. This Privacy Policy explains how Clerk collects, uses, discloses, and safeguards your information when you install and use the application.

1. Information We Collect

1.1 Store Data via Shopify API

When you install Clerk, we access the following data through the Shopify API with your explicit permission:

  • Product catalog — product names, descriptions, variants, prices (including sale prices), images, tags, and custom metadata
  • Order history — up to 180 days of order data including order totals, line items, and customer IDs (used for co-purchase analysis and product recommendations)
  • Discount information — active discount codes, automatic discounts, and buy-X-get-Y offers
  • Store settings — shop name, domain, currency, and locale

1.2 Merchant Information

We collect information you provide directly:

  • Shopify store domain and admin email (via OAuth)
  • Customization preferences (avatar, theme, tone of voice, trigger settings)
  • Billing and subscription information (managed through Shopify's billing API)
  • Support ticket communications

1.3 Visitor Behavior Data

Clerk observes anonymous, page-level visitor behavior on your store:

  • Page views and product views
  • Cart additions and cart state
  • Scroll depth and engagement signals
  • Time spent on pages
  • Exit intent signals

We do NOT collect: personal names, email addresses, physical addresses, payment information, or any other personally identifiable information (PII) of your store visitors. All visitor tracking uses anonymous session-based identifiers that are cleared when the browser tab is closed.

1.4 Automated Logging

We automatically log:

  • Impression events (when a message is shown to a visitor)
  • Click and conversion events (anonymous, for AI learning)
  • Error logs and performance metrics (via Sentry)

2. How We Use Your Information

  • AI message generation — your store data provides context for generating personalized, relevant messages for visitors
  • Self-learning optimization — impression and click data is analyzed daily to improve message effectiveness
  • Product recommendations — order history is analyzed to identify co-purchase patterns for bundle suggestions
  • Billing and account management — tracking usage against your plan limits
  • Merchant communications — sending performance reports, usage alerts, and operational notifications (with opt-out per category)
  • Service improvement — aggregated, anonymized analytics to improve Clerk

3. Third-Party Services

We use third-party services to operate Clerk, including:

  • AI message generation — we use AI to generate contextual messages. The AI receives anonymized store context only; no visitor personal information is shared.
  • Email delivery — merchant emails (performance reports, billing alerts) are sent through a trusted email delivery provider.
  • Cloud infrastructure — our services are hosted on secure cloud infrastructure with industry-standard protections.

These services process data only as necessary to provide their specific function and are bound by their own privacy policies and data processing agreements.

4. Data Retention

  • Store data cache — continuously synced and refreshed; deleted upon app uninstall
  • Order history — up to 180 days, refreshed on sync cycles
  • Impression data — retained for AI learning and performance reporting; deleted upon app uninstall or GDPR request
  • Account data — retained while your subscription is active; deleted within 30 days of app uninstall per Shopify's shop/redact webhook

5. GDPR and Data Subject Rights

Clerk fully complies with GDPR and Shopify's mandatory compliance requirements. We implement all three required webhooks:

  • Customer Data Request (customers/data_request) — we export all data associated with a customer within 30 days
  • Customer Data Erasure (customers/redact) — we delete all customer-associated data within 30 days
  • Shop Data Erasure (shop/redact) — we delete all store data after the merchant uninstalls the app

As a data processor, we act on behalf of merchants (data controllers). If a store visitor wishes to exercise their data rights, they should contact the merchant directly.

6. Data Security

We take the security of your data seriously. All data is encrypted in transit, access is restricted to authorized services only, and we follow Shopify's security best practices for app development.

7. Children's Privacy

Clerk is a B2B service for Shopify merchants. We do not knowingly collect information from children under 13.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or in-app notification. Continued use of Clerk after changes constitutes acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: team@popsmart.ai

  • Business Operator: 매드맨스튜디오 (MadmanStudio)
  • Business Registration No.: 167-79-00541
  • Data Protection Contact: team@popsmart.ai

PopSmart Studio ("Studio", "we", "us", or "our") is an AI virtual fitting and image generation application for Shopify merchants. This Privacy Policy explains how Studio collects, uses, discloses, and safeguards data when you or your customers use the application.

1. Information We Collect

1.1 Store Data via Shopify API

With your explicit permission, Studio accesses the following data through the Shopify API (OAuth scopes: read_products, write_products, read_themes, read_orders, read_customers, read_returns, write_pixels, read_customer_events, read_reports, read_metaobjects, write_metaobjects, read_locales):

  • Product catalog — product images, titles, descriptions, variants, and metadata (used for AI image generation and Publisher posts)
  • Theme and storefront data — read-only theme information for widget installation
  • Customer data (limited) — customer IDs and Customer Segments are accessed via read_customers to match anonymous try-on interactions with subsequent purchases for Try-On Impact analytics and to surface merchant-defined segments in the dashboard. We do not access individual customer names, emails, or contact details.
  • Orders — orders are queried for up to 60 days (a 30-day analytics window plus a 30-day return-baseline buffer) to measure try-on-attributed conversion and return rates
  • Web Pixel events — try-on widget interactions collected via write_pixels and read_customer_events
  • Store settings — shop name, domain, currency, locale, and admin email
  • Metaobjects — read and write access for optional Body Profile storage
  • Returns — return records used for Try-On Impact return-rate comparison

1.2 Merchant Information

  • Shopify store domain, admin email, and billing plan (via OAuth + Shopify Billing API)
  • Design and configuration preferences (brand colors, preset selections, saved AI generation presets)
  • Support ticket communications

1.3 Customer Photos (Virtual Try-On)

When a store visitor uses the virtual try-on widget, they may upload a photo of themselves so that Studio can render how products would look on them. We treat these photos with strict safeguards:

  • Stored in a private Cloudflare R2 bucket (studio-private), accessible only via short-lived signed URLs (1-hour expiry)
  • Automatically deleted within 24 hours of upload by an automated cleanup job
  • Transmitted to Google Gemini over TLS 1.2+ for image generation
  • EXIF metadata (including GPS coordinates) is stripped on upload before storage
  • Never used for AI model training, never shared with third parties beyond the processor (Google Gemini) needed to render the try-on, and never retained beyond 24 hours

1.4 Body Profile Data (Optional)

Store visitors may optionally save a body profile (approximate height, preferred size). This data is:

  • Stored as a Metaobject on the merchant's Shopify store
  • Encrypted at rest using AES-256-GCM
  • Associated only with the visitor's authenticated Shopify Customer Account (via Customer Account API OAuth with PKCE)
  • Deletable by the visitor at any time from their Customer Account

1.5 Social Integration Tokens (Publisher)

When a merchant connects Instagram, Facebook, or Pinterest via the Publisher module, the provider's OAuth access tokens are:

  • Encrypted at rest using AES-256-GCM
  • Used only to post content and fetch account, page, or board information on the merchant's behalf
  • Never shared with third parties
  • Revocable at any time from Studio or from the provider's settings

1.6 Meta Publisher Data (Facebook and Instagram)

What Facebook/Instagram data we access:

  • List of Facebook Pages you administer — Page IDs, Page names, and Page access tokens returned by Meta via pages_show_list
  • Facebook Page publishing permission — permission to publish photos and multi-photo posts to the connected Page via pages_manage_posts
  • Connected Instagram Business account information — Instagram account ID and username via instagram_business_basic (Instagram Basic account-identification data)
  • Instagram content publishing permission — permission to create and publish media containers to the connected Instagram Business account via instagram_business_content_publish
  • Publishing results returned by Meta — platform post IDs, status, timestamps, and post URLs or permalinks for posts created through Studio

How we use this data:

  • The Facebook Pages list is used to identify eligible Pages, show connection status, and store the selected or default Page as the Facebook Publisher destination inside Studio.
  • Facebook Page tokens are stored encrypted and used only when the merchant asks Studio to publish a Facebook post, fetch the resulting permalink, or maintain the connection state.
  • Instagram account information is used to show which Instagram Business account is connected and to send merchant-approved images and captions to that account.
  • Meta post IDs, URLs, and timestamps are used for the in-app Publish History, retry/support diagnostics, billing reconciliation, and merchant-facing "View Post" links.
  • We do not use Meta account, Page, or post data for advertising profiles, resale, cross-merchant targeting, or AI model training.

How long we retain it:

  • Meta OAuth tokens are retained only until the merchant disconnects the integration, removes PopSmart Studio from Meta settings, uninstalls Studio, or requests deletion. Tokens are deleted or marked revoked when access is removed.
  • Connected Page and Instagram account identifiers and names are retained with the connection record while the integration remains active, then deleted with the connection or store data.
  • Published post records are retained while Studio remains installed so merchants can view Publish History, open published posts, troubleshoot failures, and reconcile credits. They are deleted with store data through Shopify shop/redact after uninstall or earlier on a valid deletion request.

1.7 Pinterest Publisher Data

What Pinterest data we access:

  • Pinterest account information — account ID and username via user_accounts:read
  • Pinterest boards — board IDs and names via boards:read so Studio can show board choices and remember the selected board
  • Board creation permission — boards:write is used only to create a default board for the merchant if the connected account has no available board
  • Pin publishing permission — pins:write is used to create Pins from merchant-approved images, titles, and descriptions
  • Pin read permission — pins:read is requested for Publisher verification and history support for Pins created through Studio; we do not scan unrelated Pins for profiling or advertising

How we use this data:

  • Pinterest account and board data is used to display the connected account, populate the board selector, and choose the destination board for each Pin.
  • Pinterest access and refresh tokens are stored encrypted and used only to list boards, refresh the connection, create merchant-approved Pins, and store resulting Pin IDs and URLs.
  • For carousel-style publishing, Studio creates one Pin per image because Pinterest does not provide a native carousel publishing API.
  • We do not use Pinterest account, board, or Pin data for advertising profiles, resale, cross-merchant targeting, or AI model training.

How long we retain it:

  • Pinterest OAuth tokens are retained until the merchant disconnects Pinterest, removes PopSmart Studio from Pinterest app settings, uninstalls Studio, or requests deletion.
  • Selected board IDs/names and connected account identifiers are retained while the Pinterest integration remains active, then deleted with the connection or store data.
  • Published Pin records and permalinks are retained while Studio remains installed for Publish History, support diagnostics, retry context, and billing reconciliation, then deleted through Shopify shop/redact after uninstall or earlier on a valid deletion request.

1.8 Usage and Behavioral Analytics

  • Aggregated try-on widget interactions (clicks, model selections, completions) collected via the Web Pixel Extension on merchant storefronts, and forwarded to Mixpanel via our server-side analytics pipeline
  • Image generation pipeline events (job success/failure, duration, resolution)
  • Publisher post events (platform, success, click-through)
  • Merchant dashboard page views and feature usage (via Mixpanel)
  • Merchant email engagement

Visitor-side tracking uses anonymous session identifiers and device-level identifiers (including session cookies and local storage values scoped to the merchant's store). Studio does not collect visitor names, email addresses, physical addresses, or payment information.

1.9 Error Logs and Performance Metrics

We use Sentry to capture application errors and performance metrics. Our Sentry configuration redacts the following sensitive data before reporting: the Authorization, Cookie, x-shopify-access-token, x-internal-auth, x-sdk-token, and x-goog-api-key headers, and URL query parameters named key, token, access_token, and api_key.

1.10 Payment Data

All subscription and one-time-pack transactions are processed entirely by Shopify's billing system. Studio does not receive, store, or process payment card numbers, bank account details, or any other payment instrument data. We only receive billing event metadata (plan, charge amount, billing period) from Shopify's Billing API.

2. How We Use Your Information

  • AI image generation — product images (and, for virtual try-on, customer photos) are processed through Google Gemini to generate model photos, remove backgrounds, and compose lifestyle scenes
  • Virtual try-on — customer photos are rendered against your products to preview fit and styling
  • Publisher — your content is posted to connected social platforms with AI-generated captions, SEO metadata, and alt text
  • Analytics — aggregated metrics to calculate try-on conversion lift and return-rate comparisons
  • Billing — tracking credit consumption against your subscription or pack balance
  • Merchant communications — performance digests, usage alerts, moderation and ban notifications, and operational emails (opt-in/out per category where legally permitted)
  • Service improvement — aggregated, de-identified analytics

3. Third-Party Services

Studio relies on the following third-party providers. Each processes data only as necessary to deliver its function and is bound by its own privacy policy and data processing agreement:

  • Google Gemini (Google LLC) — AI image generation and virtual try-on processing; receives product images and customer photos in transit
  • Cloudflare R2 — object storage (public bucket for generated images; private bucket with 24-hour TTL for customer photos)
  • Amazon Web Services (SES) — delivery of merchant notification emails
  • Google (Gmail API) — support ticket inbox
  • Sentry — application error monitoring (sensitive data redacted before reporting)
  • Mixpanel — merchant dashboard product analytics
  • Meta Platforms (Instagram, Facebook) — OAuth connections for Publisher
  • Pinterest — OAuth connection for Publisher
  • remove.bg — fallback background removal when client-side processing is unavailable

4. Data Retention

  • Generated image outputs — retained for 30 days after creation; pinned items retained while your subscription is active
  • Customer photos (virtual try-on) — deleted within 24 hours of upload
  • Body Profile Metaobjects — retained until the visitor deletes the profile or requests erasure
  • Social OAuth tokens and connected account identifiers — retained until the merchant disconnects the integration, revokes access at the provider, uninstalls Studio, or requests deletion
  • Publisher post records — retained while Studio remains installed for Publish History, retry/support diagnostics, and billing reconciliation; deleted with store data through Shopify shop/redact after uninstall or earlier on a valid deletion request. Soft-cancelled Publisher jobs may be deleted after the operational cleanup window.
  • Usage and analytics events — aggregated data retained up to 24 months; individual records deleted on GDPR request
  • Merchant account data — retained while your subscription is active; deleted within 30 days of app uninstall via Shopify's shop/redact webhook
  • Support ticket communications — retained in our support inbox (Google Gmail) for up to 24 months after the ticket is resolved, then deleted; deleted earlier on request
  • Billing and credit transaction records — retained as required by applicable tax and accounting law, de-identified where possible

5. Sale of Personal Information

We do not sell, rent, lease, or otherwise share your personal information or your store visitors' personal information with third parties for monetary or other valuable consideration. We do not disclose personal information to third parties for their own marketing or advertising purposes. The only third-party sharing that occurs is strictly limited to the service providers listed in Section 3, each of which processes data on our behalf under a data processing agreement.

6. International Data Transfers

Studio processes data in regions operated by Google Cloud, Cloudflare, Amazon Web Services, and the providers listed above, which may include the United States, European Union, and other jurisdictions. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

7. GDPR, CCPA, and Data Subject Rights

Studio complies with GDPR, CCPA, and Shopify's mandatory compliance requirements. We implement the three required Shopify webhooks:

  • Customer Data Request (customers/data_request) — we export all data associated with a customer within 30 days
  • Customer Data Erasure (customers/redact) — we delete all customer-associated data (including customer photos, Body Profile, and pixel events) within 30 days
  • Shop Data Erasure (shop/redact) — we delete all store data (including both studio-private and studio-assets R2 prefixes) after the merchant uninstalls the app

Our role under data protection law depends on the data type:

  • For merchant account data, store catalog, orders, returns, and aggregated analytics, Studio acts as a data processor on behalf of the merchant (controller).
  • For customer photos uploaded through the virtual try-on widget and Body Profile data (both provided directly by the shopper), Studio and the merchant act as joint controllers with respect to the decision to collect such data and its technical processing, while the merchant remains the primary controller responsible for consent, notice at the point of collection, and responding to shopper requests.

Store visitors may contact Studio directly at team@popsmart.ai to request access, correction, or deletion of their try-on photos or Body Profile, or they may contact the merchant — either route will result in erasure via the Shopify redact webhook or our internal cleanup procedure.

Step-by-step instructions for deleting data associated with Meta (Instagram, Facebook) and Pinterest integrations — including the uninstall timeline and the information required for a manual deletion request — are provided on our Data Deletion Instructions page.

8. Data Security

  • TLS 1.2+ encryption for all data in transit
  • AES-256-GCM encryption at rest for OAuth tokens and Body Profile data
  • Private R2 buckets accessed only via short-lived signed URLs for customer photos
  • MIME type and magic-byte validation on customer photo uploads
  • EXIF/GPS metadata stripping before storage
  • HMAC-signed webhooks and unsubscribe links
  • SSRF protections on all external image URL fetches
  • Role-restricted internal service access
  • Regular security audits and dependency updates
  • Incident response procedures aligned with Shopify security best practices

9. Children's Privacy

Studio is a B2B service for Shopify merchants. The virtual try-on widget may collect photographs from store visitors. Merchants who operate stores selling products intended for children under 13 (COPPA) or under 16 (GDPR) are responsible for obtaining verifiable parental consent before allowing minors to use the try-on widget. Studio does not knowingly collect photographs or personal data directly from children under these ages.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide reasonable advance notice of material changes via email or in-app notification. Continued use of Studio after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For questions, data requests, or concerns about this Privacy Policy, contact us at: team@popsmart.ai. We respond within 7 business days to all privacy inquiries.

  • Business Operator: 매드맨스튜디오 (MadmanStudio)
  • Business Registration No.: 167-79-00541
  • Data Protection Contact: team@popsmart.ai
매드맨스튜디오 (MadmanStudio) · Representative: 가영근 · Business Registration No.: 167-79-00541 · 서울특별시 구로구 가마산로25길 9, 202-S13호 (구로동, 네오팰리스) · team@popsmart.ai
